Vim is the favorite editor for most Linux users out there, but the .swp file that it creates while you are editing a file can be used by a third-party to get your database credentials.
So, as al long as the webserver allows requests to dotfiles and you know the location (directory) of the file that will be edited with Vim, you can exploit this vulnerability.
Proof of concept
Imagine a scenario when a Linux user whos favorite editor is Vim, just bought NewDomainName.com and you know they will be installing WordPress on it.
If you are familiar with WordPress, you’ll know that the credentials for the database are stored in a file called wp-config.php located in the public directory.
You can easily make a python script that will try to download https://newdomainname.com/-wp-config.php.swp every second. Leave the script running, and as soon as someone starts editing the wp-config file using Vim, you will succesfully download the swap file.
After downloading, to open the file you can use: vim -r .wp-config.php.swp
PoC Video from WebDevEtc.com
NOTE: In the example above, I’ve used WordPress just as an example, but this vulnerability has nothing to with WordPress but with Vim editor’s swap files. WordPress is used for this example just because it stores its configuration file inside the public directory.
🤯 Taking the above example one step further:
One can easily grab a BuiltWith list of the 30M websites running WordPress and make a python script that will scan them for .wp-config.php.swp files.
